Symantec SSL/TLS Certificate distrust


#1

Hi folks! Further to the rollout of Symantec certificates being distrusted by all major browsers, I note that Firefox Beta & Nightly (63 & 64) now show the Oyster payment portal as an untrusted site:

Please note that Firefox version 63 lands October 23, and Google Chrome will distrust these certificates for its users approximately TWO WEEKS EARLIER than this. Do not fail to take action on this or your users will be

For more:
Mozilla Security blog from March 2018 - https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
DigiCert blog from April 2018 (who took over these certificates from Symantec) - https://www.digicert.com/blog/getting-ahead-chrome-70-distrust-symantec-issued-certificates/


#2

Test your sites using Mozilla’s Observatory tool - https://observatory.mozilla.org/analyze/https://oyster.tfl.gov.uk/oyster/entry.do
Google Security blog also from March 2018 - https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html


#3

Hi @david_ross

We are aware that the Symantec certs are becoming untrusted in Firefox and Chrome shortly.

My colleagues who manage the Oyster site attempted to update the certs to a new provider last week, but there were issues that meant we had to request a re-issue of the cert.

We are going to attempt this again this week and we should be able to get the new certificate before the Firefox and Chrome updates come into place for non-beta users.

thanks,
James
Service Performance Manager - Digital


#4

Thanks for the transparency! Best of luck to the team involved for the next crack at it.


#5

This appears to now have been fixed. Nice work TFL.
:smiley_cat:


#6

Thanks @david_ross - the payments team deployed the new cert yesterday afternoon.